Description

Missing authorization checks in the Backend Routing of TYPO3 CMS versions 9.0.0‑9.5.54, 10.0.0‑10.4.53, 11.0.0‑11.5.47, 12.0.0‑12.4.36, and 13.0.0‑13.4.17 allow backend users to directly invoke AJAX backend routes without having access to the corresponding backend modules.

Remediation

References

CVE-2025-59017

Related Vulnerabilities

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2022-23307)

WordPress Plugin Video Chat Multiple Cross-Site Scripting Vulnerabilities (1.4.1)

WordPress Plugin wpForo Forum Cross-Site Scripting (1.4.11)

WordPress Plugin Simple Image Sizes Unspecified Vulnerability (2.2.4)

WordPress Plugin Floating Chat Widget:Contact Chat Icons, Telegram Chat, Line, WeChat, Email, SMS, Call Button-Chaty SQL Injection (3.0.2)

Severity

High

Classification

CVE-2025-59017 CWE-862 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities